Forum Moderators: coopster

preventing users from accessing files on webserver

         

jackvull

8:37 pm on Dec 27, 2005 (gmt 0)

10+ Year Member



Hi
I am developing a site where users will have access to download files via http links.
Ideally, I want to prevent them from accessing these files by typing in the folder directly e.g.
[mysite.com...]

Can this be done by adding some server restrictions and are there other alternatives, e.g. putting the folder 'above' the webserver directory?

Thanks.

jackvull

7:31 pm on Dec 28, 2005 (gmt 0)

10+ Year Member



From what I have read, this can be done by creating a .htaccess file but I'm not sure how to allow the webserver access to these files but at the same time prevent someone using a browser from downloading the file directly (by typing it into the address bar) e.g.
www.website.com/RestrictedFolder/RestrictedFile.zip

Any ideas?

jatar_k

7:33 pm on Dec 28, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



store them outside the webroot and then just serve the file to them, using a script, when they are allowed to access it

jackvull

7:54 pm on Dec 28, 2005 (gmt 0)

10+ Year Member



So, PHP is able to access files outside of the webroot?
Is this as simple as just using: ../../../File.zip
and using the ../ will take it outside of the webroot?

I suppose the other alternative would be to specify the full path in the script?

jatar_k

8:43 pm on Dec 28, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I usually use full path from server root

peco

2:34 am on Dec 30, 2005 (gmt 0)

10+ Year Member



I am a novice at this so forgive my ignorance, but can't you put them in a new folder and protect that folder with .htaccess and .htpasswd files? Or is that what you mean by storing them outside the server root?

jatar_k

4:03 am on Dec 30, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> what you mean by storing them outside the server root

actually outside of the web root

your web site has a directory that is specified as its root, for example where you would put your index file that a user would get if they typed www.yoursite.com into the address bar.

This is not the root of the server itself, this is just the directory that is specified as the root of any given domain in httpd.conf or similar web server config file.

Hosting accounts normally have other directories that are above this web root directory that are completely non accessible via a web browser.

peco

1:37 pm on Dec 30, 2005 (gmt 0)

10+ Year Member



>>> Hosting accounts normally have other directories that are above this web root directory that are completely non accessible via a web browser.

Like I said before, I am a novice at this and not being facetious so, what are these other directories for and how do you access them?
I have only uploaded 1 site and that is direct to an ftp address, rather than with ftp software. When I log into the ftp address I can see 4 folders. A docs folder, which is the web root, a secure folder, rafiles folder and a log folder.
Is the secure folder one of the other directories you speak of? And what is the rafiles for?

Sorry if this is off topic.

Cheers, Peter.

jackvull

1:49 pm on Dec 30, 2005 (gmt 0)

10+ Year Member



What jatar means is that when you type in www.somewebsite.com the webserver automatically directs the user to your webroot (whatever this is called in yours...docs folder).
If you make a new folder called RestrictedFolder then no-one can access this folder apart from the server.

Anything inside this folder would not be accessible by typing in www.somewebsite.com and only a script or someone standing in front of the computer with a keyboard could access these files

It is therefore secure.

jackvull

1:52 pm on Dec 30, 2005 (gmt 0)

10+ Year Member



For example, at the moment on yours, no-one can access the rafiles folder and log folder via browser. They either need to do it via ftp (with correct password) or via direct access to the server (keyboard, passwords, etc.)

peco

2:05 pm on Dec 30, 2005 (gmt 0)

10+ Year Member



Thanks jack.

So if I created RestrictedFolder, hypothetically, would the script needed to access it amount to a log-in page and then re-direct to ../RestrictedFolder?

Sorry if this is a stupid question but I need to have a restricted area of my site and I don't really know how to go about it.

jatar_k

3:25 pm on Dec 30, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



having a restricted area is possibly something different than having files which are not accessible through a browser.

In jackvull's case, there are downloadable files which need to not be directly accessible through the browser. There can be a script that is within the webroot that can authenticate the user and then go get the necessary file and serve it to the user.

is this what you mean or do you want a "logged in" section of your website?
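The approach described above (files kept outside the web root, served by a script that first authenticates the user) could look like the following. This is an added example, not code posted in the thread; the directory layout, the `file` query parameter, `login.php` and the `$_SESSION['user']` key are assumptions, and it targets PHP 7 or later.

```php
<?php
// download.php sits inside the web root; the files it serves do not.
// Assumed (hypothetical) layout: /home/example/docs is the web root and
// /home/example/private/downloads holds the restricted files.
declare(strict_types=1);
session_start();

const DOWNLOAD_DIR = '/home/example/private/downloads';

// 1. Authenticate: only a logged-in session may download anything.
if (empty($_SESSION['user'])) {
    header('Location: /login.php');
    exit;
}

// 2. Take only the file-name part of the request, resolve it to a real
//    path, and confirm the result is still inside DOWNLOAD_DIR. This keeps
//    "../" sequences and symlinks from reaching files elsewhere on disk.
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$base = realpath(DOWNLOAD_DIR);
$path = realpath(DOWNLOAD_DIR . '/' . basename($requested));

if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('File not found.');
}

// 3. Serve the file as an attachment. Quotes and line breaks are stripped
//    from the name so it cannot break out of the header value.
$name = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

A link such as `download.php?file=RestrictedFile.zip` then works only for a logged-in session, while the file itself has no URL of its own.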

peco

7:07 pm on Dec 30, 2005 (gmt 0)

10+ Year Member



Thanks jatar,

On my site, there will be about 8 different pages specific to 8 different users, this could grow to more. I want to allow the different users to be able to access that page that is meant for them only.

i.e.
user A can gain access to userA.htm
user B can gain access to userB.htm
user C can gain access to userC.htm
etc etc

I don't want user A to be able to access userC.htm and so on.
I thought about creating folders, within the webroot, specific to each user and protecting each folder but like I said, I'm not sure about the best (easiest) way to do it.
BTW, I'm trying to stay away from databases, if that is possible.

peco

4:05 pm on Jan 1, 2006 (gmt 0)

10+ Year Member



Could anyone tell me if this is possible or if I am barking up the wrong tree.

I am trying to learn PHP, albeit slowly, but I'm just not sure how to achieve what I need.

If one of you can point me in the right direction, I would be grateful.

jackvull

4:17 pm on Jan 1, 2006 (gmt 0)

10+ Year Member



You can do it the way you suggest but IMHO it's a lot of work for something that you can do with PHP in little time.

Get a login page set up with PHP, then in your script you can automatically display HTML appropriate for the user.
For example, if user 1 logs in, you store this information in a session and then all pages after that display info. appropriate for user 1.
If user 2 logs in then only display information for user 2. That way you only need 1/2 PHP pages and you don't need to mess around with server access and .htaccess files.

So 1 PHP login page, which redirects the user;
2nd PHP page generating the content dynamically;
add other PHP pages as necessary.

Of course, to be secure each of the PHP pages must first check the session and if the user hasn't logged in, it could redirect them to the login page.

Sound okay? You will be better off learning how to do it this way than hiding multiple HTML pages. This is exactly the kind of dynamic thing that server side scripting was made for.
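A database-free version of the session-based login described above, folded into a single script for brevity. This is an added example, not code posted in the thread; the private directory, `users.php` (a file returning an array of username to `password_hash()` output) and the per-user `.htm` files are assumptions, and it targets PHP 7 or later.

```php
<?php
// members.php: login form and per-user page in one script, no database.
// Assumed (hypothetical) files, all stored outside the web root:
//   /home/example/private/users.php   returns ['userA' => '<password_hash() output>', ...]
//   /home/example/private/pages/userA.htm, userB.htm, ...
declare(strict_types=1);
session_start();

const PRIVATE_DIR = '/home/example/private';
$users = require PRIVATE_DIR . '/users.php';

// Login attempt: verify the password against the stored hash.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    if (isset($users[$name]) && password_verify($pass, $users[$name])) {
        session_regenerate_id(true);   // fresh session id once logged in
        $_SESSION['user'] = $name;
    }
    header('Location: members.php');   // redirect so a reload does not re-post
    exit;
}

// Every request checks the session first; no valid login means the form.
if (!isset($_SESSION['user'], $users[$_SESSION['user']])) {
    ?>
    <form method="post" action="members.php">
      <label>User <input name="user"></label>
      <label>Password <input name="pass" type="password"></label>
      <button type="submit">Log in</button>
    </form>
    <?php
    exit;
}

// The page is chosen from the session, never from the URL, so user A has
// no request that can name userC.htm. The name is a key of $users (trusted
// configuration), which is what makes it safe to use in a path.
header('Content-Type: text/html; charset=utf-8');
readfile(PRIVATE_DIR . '/pages/' . $_SESSION['user'] . '.htm');
```

Because the `.htm` files sit outside the web root, they cannot be fetched by typing their address into the browser; the only route to them is through this session check.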

peco

4:40 pm on Jan 1, 2006 (gmt 0)

10+ Year Member



Thanks jack,

That all sounds good to me, I will endeavour to learn how to do that.

jatar_k

10:36 pm on Jan 1, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you could try this thread for some information
[webmasterworld.com...]